Ransomware: To pay or not to pay?

10/15/2021
G DATA Blog

Recently, several magazines have repeatedly covered how to protect against and recover from ransomware attacks. However, many companies and individuals are left with the question of whether they would pay in the event of a potential future ransomware attack.

What if they would consider paying? Is it a viable option? What are the risks? Should they disclose this to regulators, shareholders or the public? How should you prepare for this decision? While I am not at all suggesting that organisations should pay ransoms, I do recognise that this option exists. But the question stands: is it a good idea to pay?

Quick reminder on ransomware

I think we all know what ransomware is by now. But just in case you have been living under a proverbial rock for at least the past 10 years, here is the low-down: ransomware is a form of malware that cybercriminals use to deny access to or availability of systems or data. The criminals hold systems or data hostage until the ransom is paid. After gaining access to a network, they deploy ransomware on shared storage drives and other accessible systems. If demands are not met, the system or encrypted data remains unavailable or the data is deleted. A frequently emerging tactic of these cybercriminals is to steal sensitive data and threaten to make it public if the ransom is not paid, further extorting affected businesses.This is also referred to as “double extortion”. However, the more than 31-year-old problem called “ransomware” continues to haunt us. And the chances of either the threat disappearing or people ceasing to make payments any time soon is very slim indeed.

The risks

Although it seems that most people or companies who pay receive a decryption key or a decryption tool, paying a ransom does not guarantee that an organisation will regain access to their data – be it because the either never receive a decryption tool or key or because of sloppy programming on the part of the criminals. The latter also makes it impossible to decrypt data, even with a valid decryption key. Another reason for discouraging ransom payments by the affected company or insurer raises questions as to whether the payment could amount to financing criminal groups, terrorism, rogue states and/or violating anti-money laundering laws. A problem that was recently raised in the US. On top of this comes the fact that paying a ransom encourages criminals to target other organisations or companies. It is of course understandable that when companies can no longer function, executives will consider all options to protect their shareholders, employees and customers.

Law enforcement authorities are not at all in favour of paying ransoms for these exact reasons.
The decision to pay a ransomware claim should be made carefully, with recognition and acceptance of the risks and in consultation with various stakeholders including, for example, legal counsel, law enforcement, your cyber insurer and security experts. There are also those who argue that paying a ransom should be evaluated like any other business decision.

The average ransomware attack can also take weeks and there are, of course, real costs associated with keeping a company offline for days. Lost productivity can quickly become (and in some cases has become) the biggest item on the bill. Of course, you have to weigh up all the costs, from restoring the network to the cost of consultants and whether they will cover the ransom. Other factors to consider include loss of brand reputation, customer satisfaction and potential legal liability.

It sometimes turns out that paying a ransom is the least expensive option which will probably sway the votes of most businesses towards the lesser of two evils, i.e. paying the ransom.

Paying

The question - what percentage of companies pay ransom - is always difficult to answer, especially since a lot of ransomware victims do not report or disclose the ransomware incident despite the GDPR and other mandatory reporting rules in various countries. Several polls from some companies in the security industry indicate that this percentage would be between 30% and 55%. My personal feeling and my knowledge of the global business world indicates that it will be rather around 55%, if not more. G DATA’s recent publication seems to back this fact, stating that many cases go unreported because the affected organizations see no point in it. The reason most often stated is that law enforcement will never catch the perpetrators anyway.

And that is precisely the problem. Now let us look at the issue from the perspective of a criminal: Wouldn’t you as a company also invest in an ‘idea’ where you are more than 50% sure that it will pay off? On the upside, the upfront costs for cybercriminals are low. Yes, there are costs: creating the malware, quality assurance (yes, this is a thing, even for malware), the encryption algorithm, setting up the possible botnet for spreading the phishing email through which the malware will be installed, or searching for the unpatched servers on the Internet. Much of the aforementioned overhead is even available “as a service”. And then there is the time it takes to explore the network and get the data off it. To make matters worse, the criminals will rent out parts of the code so they can cover their own costs.  Looks like a sound business model, huh?

The catalyst

And then the catalyst of the whole ransomware industry comes into the picture and that is … crypto currencies, with Bitcoin having become a catch-all term for any crypto currency. The cash of the 21st century ... and then we all want to get rid of cash, don't we? Digital crypto currencies are just digital cash in a nice package called blockchain. But crypto currencies - like cash - unfortunately provide the untraceable element, the anonymous aspect of the recipient, unless of course you can keep an eye on who is behind certain wallets.

If crypto currencies (and the ease of paying with them) did not exist, I think we would not see any ransomware. Transferring money to other accounts is so easy to track via the old way. We would be rid of it but I fear we cannot reverse it.

Do you have to pay then? Personally, I would say “never”. Because you really are supporting the wrong (read criminal) economy. Do you pay millions of euros to those who attacked you? It might provide you with a decryption key to help you recover your systems... but it also encourages others to carry out ransomware attacks in the future, not only against your own company but also against other organisations or companies around the world.

Of course, you can always negotiate with the criminals to get a cheaper price. Really? There are also  'security' companies that can help you with this by providing professional negotiators who help you with the payment and the negotiation with the cybercriminals. The catch: these negotiation services are often tied to the purchase of a certain product. This is where I have a massive issue because I think this is somewhat unethical.  A negotiation service in itself is very useful, but using this to leverage the sale of a product is...let's say "questionable". Also a nice business model, sure, but deontologically on (or even over) the edge, I think.

Prevention and solution

Most ransomware attacks can actually be defeated and prevented. It's a combination of a good security policy, backups, patching, various layered security solutions and also don't forget to address the human factor (the typical weakest link) in the story through security awareness training.

But how do we finally solve the ransomware issue? There are a few options there.

  1. Abolish or restrict crypto currencies. However, I fear that this is a utopia.
  2. Make ransomware payments illegal worldwide. This would mean affected companies are caught between a rock and a hard place: either risk the company going under or break the law.
  3. Don't look at a ransomware attack as a cyber or malware attack, but look at it as an attack, in some cases a terrorist attack (e.g. if infrastructure or a hospital is involved).

The latter is what people in the US are thinking of after the company Colonial Pipeline, which operates the largest pipeline in the US, had to shut down for a week (May 2021) following a ransomware attack. And I think that the same will be reconsidered after the big supply chain ransomware attack on Kaseya. A big attack like this should be considered as cyber terrorism and legally handled like that. The main objective of terrorism of any sort, regardless of it’s motivation, is to destabilize governments and undermine the population’s trust in authorities and law enforcement, and not so much the immediate effects of an attack. If people feel that nobody can protect them, especially in this day and age, threats like this must be met with decisive and targeted action. Open commitment is nice, but actions must follow. In this context it might be interesting to know that in a meeting of experts on ransomware from 30 countries, no representatives from Russia were invited. This can be interpreted as consequence from repeated accusations that Russian authorities, although they are not actively supporting ransomware groups, at least give them what news agency Reuters calls "tacit approval". However, officials also point out that "active discussions with the Russians are taking place".

All points are problems for governments that may not be so easy to tackle, let alone apply globally. Who knows, maybe something for the EU? Unrealistic you say? Let's have the discussion again in 7 years. Will technology solve this conundrum? If you think “Yes”, then you have underestimated the human factor.

'NEVER' pay the ransom ... well, maybe if people's lives depend on it. Or should we watch more Netflix series where this is advised against?

Eddy Willems
Security Evangelist